Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 May 2022 19:35:46 +0200
From: Solar Designer <solar@...nwall.com>
To: Norbert Slusarek <nslusarek@....net>
Cc: oss-security@...ts.openwall.com, peterz@...radead.org
Subject: Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation

Norbert,

Thank you for engaging in this discussion.  It helps.

On Thu, May 26, 2022 at 06:44:38PM +0200, Norbert Slusarek wrote:
> >What do you suggest we do regarding the LPE exploit you sent to
> >linux-distros?
> 
> I saw your reveal of linux-distros from 2020 and the exchange
> didn't include any text nor attachments. In that case, the
> exploit should remain private to linux-distros accordingly.

I don't know what "reveal of linux-distros from 2020" you refer to.  The
policy aspect in question (see below) is in effect since 2017, and I
don't recall us deviating from it.  Did we?

We have a published policy here:

https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters

which includes:

"If you shared exploit(s) that are not an essential part of the issue
description, then at your option you may slightly delay posting them to
oss-security but you must post the exploits to oss-security within at
most 7 days of making the mandatory posting above.  If you exercise this
option, you have two mandatory postings to make: first with a
sufficiently detailed issue description (as requested above) and with an
announcement of your intent to post the exploits separately (please
mention exactly when), and second with the exploits - or indeed you
could have included the exploits right away, in your first and only
mandatory posting."

Did you read this before posting?  If not, anything we should have done
to ensure you'd have read it?

> >What do you suggest we do with this policy aspect going forward, so that
> >people do not get into a situation where they're required to do
> >something they didn't want to subscribe to?
> 
> How is this policy aspect enforced in the first place?
> If it's not, I suggest you remove it entirely as there is no reason
> to have policies which cannot (and shouldn't) be enforced.

Reminders, like I am doing now (often in private, this time in public).
Failing that, list members technically can post the exploits themselves.
Finally, we can setup the list to automatically make all messages public
with a delay.

However, as you can see from another recent thread we're now in the
process of reconsidering list policy aspects, so might end up e.g.
extending the period from 7 to 30 days.  Would that work for you?

If people insist on keeping exploits sent to (linux-)distros private
forever, then I'll more likely either shut down the list instead or set
it up to automatically make all messages public.  After all, if people
send private messages to some list without reading its published policy
first, they accept that anything can happen with those messages.  Right?
Yet I've been reluctant to do that so far, as it's not ideal for social
and technical reasons.

> Overall, as a researcher I would prefer having a way just to inform
> distros of a bug, *without* being subject to these requirements.

I understand, yet I find that very problematic.

Also, you don't need to post an exploit (especially more than a PoC) to
the list "to inform distros of a bug".  You can literally just inform
them, and (if you don't accept the policy on forced publication of what
you share with the list) offer to privately share the exploit with
interested distros.  Then the exploit itself wouldn't be subject to the
forced publication.

Thanks again,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.